diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md
index c21db265..aa5279e1 100644
--- a/examples/iam-role-for-service-accounts-eks/README.md
+++ b/examples/iam-role-for-service-accounts-eks/README.md
@@ -30,12 +30,16 @@ No providers.
| Name | Source | Version |
|------|--------|---------|
+| [amazon\_managed\_service\_prometheus\_irsa\_role](#module\_amazon\_managed\_service\_prometheus\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| [cert\_manager\_irsa\_role](#module\_cert\_manager\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.6 |
| [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
index cecfa691..2922b629 100644
--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -47,34 +47,34 @@ module "irsa_role" {
tags = local.tags
}
-module "cluster_autoscaler_irsa_role" {
+module "cert_manager_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"
- role_name = "cluster-autoscaler"
- attach_cluster_autoscaler_policy = true
- cluster_autoscaler_cluster_ids = [module.eks.cluster_id]
+ role_name = "cert-manager"
+ attach_external_dns_policy = true
+ cert_manager_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["kube-system:cluster-autoscaler"]
+ namespace_service_accounts = ["kube-system:cert-manager"]
}
}
tags = local.tags
}
-module "external_dns_irsa_role" {
+module "cluster_autoscaler_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"
- role_name = "external-dns"
- attach_external_dns_policy = true
- external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]
+ role_name = "cluster-autoscaler"
+ attach_cluster_autoscaler_policy = true
+ cluster_autoscaler_cluster_ids = [module.eks.cluster_id]
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["default:my-app", "canary:my-app"]
+ namespace_service_accounts = ["kube-system:cluster-autoscaler"]
}
}
@@ -113,54 +113,53 @@ module "efs_csi_irsa_role" {
tags = local.tags
}
-module "vpc_cni_ipv4_irsa_role" {
+module "external_dns_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"
- role_name = "vpc-cni-ipv4"
- attach_vpc_cni_policy = true
- vpc_cni_enable_ipv4 = true
+ role_name = "external-dns"
+ attach_external_dns_policy = true
+ external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["kube-system:aws-vpc-cni"]
+ namespace_service_accounts = ["kube-system:external-dns"]
}
}
tags = local.tags
}
-module "vpc_cni_ipv6_irsa_role" {
+module "external_secrets_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"
- role_name = "vpc-cni-ipv6"
- attach_vpc_cni_policy = true
- vpc_cni_enable_ipv6 = true
+ role_name = "external-secrets"
+ attach_external_secrets_policy = true
+ external_secrets_ssm_parameter_arns = ["arn:aws:ssm:*:*:parameter/foo"]
+ external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["kube-system:aws-vpc-cni"]
+ namespace_service_accounts = ["default:kubernetes-external-secrets"]
}
}
tags = local.tags
}
-module "node_termination_handler_irsa_role" {
+module "fsx_lustre_csi_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"
- role_name = "node-termination-handler"
- attach_node_termination_handler_policy = true
+ role_name = "fsx-lustre-csi"
+ attach_fsx_lustre_csi_policy = true
oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["kube-system:aws-node"]
+ namespace_service_accounts = ["kube-system:fsx-csi-controller-sa"]
}
}
-
- tags = local.tags
}
module "karpenter_controller_irsa_role" {
@@ -214,6 +213,72 @@ module "load_balancer_controller_targetgroup_binding_only_irsa_role" {
tags = local.tags
}
+module "amazon_managed_service_prometheus_irsa_role" {
+ source = "../../modules/iam-role-for-service-accounts-eks"
+
+ role_name = "amazon-managed-service-prometheus"
+ attach_amazon_managed_service_prometheus_policy = true
+
+ oidc_providers = {
+ ex = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["prometheus:amp-ingest"]
+ }
+ }
+
+ tags = local.tags
+}
+
+module "node_termination_handler_irsa_role" {
+ source = "../../modules/iam-role-for-service-accounts-eks"
+
+ role_name = "node-termination-handler"
+ attach_node_termination_handler_policy = true
+
+ oidc_providers = {
+ ex = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:aws-node"]
+ }
+ }
+
+ tags = local.tags
+}
+
+module "vpc_cni_ipv4_irsa_role" {
+ source = "../../modules/iam-role-for-service-accounts-eks"
+
+ role_name = "vpc-cni-ipv4"
+ attach_vpc_cni_policy = true
+ vpc_cni_enable_ipv4 = true
+
+ oidc_providers = {
+ ex = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:aws-vpc-cni"]
+ }
+ }
+
+ tags = local.tags
+}
+
+module "vpc_cni_ipv6_irsa_role" {
+ source = "../../modules/iam-role-for-service-accounts-eks"
+
+ role_name = "vpc-cni-ipv6"
+ attach_vpc_cni_policy = true
+ vpc_cni_enable_ipv6 = true
+
+ oidc_providers = {
+ ex = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:aws-vpc-cni"]
+ }
+ }
+
+ tags = local.tags
+}
+
################################################################################
# Supporting Resources
################################################################################
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index 6e5bf3ae..ad944d72 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -1,15 +1,19 @@
# IAM Role for Service Accounts in EKS
Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optional policies for commonly used controllers/custom resources within EKS. The optional policies supported include:
+- [Cert-Manager](https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role)
- [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md)
-- [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy)
- [EBS CSI Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json)
- [EFS CSI Driver](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json)
-- [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html)
-- [Node Termination Handler](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods)
+- [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy)
+- [External Secrets](https://github.com/external-secrets/kubernetes-external-secrets#add-a-secret)
+- [FSx for Lustre CSI Driver](https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/docs/README.md)
- [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/cloudformation.yaml)
- [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json)
- [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules)
+- [Managed Service for Prometheus](https://docs.aws.amazon.com/prometheus/latest/userguide/set-up-irsa.html)
+- [Node Termination Handler](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods)
+- [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html)
This module is intended to be used with AWS EKS. For details of how a `ServiceAccount` in EKS can assume an IAM role, see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
@@ -110,20 +114,28 @@ No modules.
| Name | Type |
|------|------|
+| [aws_iam_policy.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -131,10 +143,14 @@ No modules.
| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -147,28 +163,37 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` | [
"*"
]
| no |
| [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
+| [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no |
+| [attach\_cert\_manager\_policy](#input\_attach\_cert\_manager\_policy) | Determines whether to attach the Cert Manager IAM policy to the role | `bool` | `false` | no |
| [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no |
| [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no |
| [attach\_efs\_csi\_policy](#input\_attach\_efs\_csi\_policy) | Determines whether to attach the EFS CSI IAM policy to the role | `bool` | `false` | no |
| [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
+| [attach\_external\_secrets\_policy](#input\_attach\_external\_secrets\_policy) | Determines whether to attach the External Secrets policy to the role | `bool` | `false` | no |
+| [attach\_fsx\_lustre\_csi\_policy](#input\_attach\_fsx\_lustre\_csi\_policy) | Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role | `bool` | `false` | no |
| [attach\_karpenter\_controller\_policy](#input\_attach\_karpenter\_controller\_policy) | Determines whether to attach the Karpenter Controller policy to the role | `bool` | `false` | no |
| [attach\_load\_balancer\_controller\_policy](#input\_attach\_load\_balancer\_controller\_policy) | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no |
| [attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy](#input\_attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy) | Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only | `bool` | `false` | no |
| [attach\_node\_termination\_handler\_policy](#input\_attach\_node\_termination\_handler\_policy) | Determines whether to attach the Node Termination Handler policy to the role | `bool` | `false` | no |
| [attach\_vpc\_cni\_policy](#input\_attach\_vpc\_cni\_policy) | Determines whether to attach the VPC CNI IAM policy to the role | `bool` | `false` | no |
+| [cert\_manager\_hosted\_zone\_arns](#input\_cert\_manager\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow Cert manager to manage records | `list(string)` | [
"arn:aws:route53:::hostedzone/*"
]
| no |
| [cluster\_autoscaler\_cluster\_ids](#input\_cluster\_autoscaler\_cluster\_ids) | List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no |
| [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no |
| [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
-| [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow external DNS to manage records | `list(string)` | [
"arn:aws:route53:::hostedzone/*"
]
| no |
+| [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` | [
"arn:aws:route53:::hostedzone/*"
]
| no |
+| [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | [
"arn:aws:secretsmanager:*:*:secret:*"
]
| no |
+| [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | [
"arn:aws:ssm:*:*:parameter/*"
]
| no |
| [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no |
+| [fsx\_lustre\_csi\_service\_role\_arns](#input\_fsx\_lustre\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles | `list(string)` | [
"arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"
]
| no |
| [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | Cluster ID where the Karpenter controller is provisioned/managing | `string` | `"*"` | no |
| [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` | [
"*"
]
| no |
| [karpenter\_controller\_ssm\_parameter\_arns](#input\_karpenter\_controller\_ssm\_parameter\_arns) | List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter | `list(string)` | [
"arn:aws:ssm:*:*:parameter/aws/service/*"
]
| no |
| [karpenter\_tag\_key](#input\_karpenter\_tag\_key) | Tag key (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner | `string` | `"karpenter.sh/discovery"` | no |
| [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
| [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` | [
"*"
]
| no |
-| [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provdier map should contain the `provider`, `provider_arns`, and `namespace_service_accounts` | `any` | `{}` | no |
+| [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provider map should contain the `provider`, `provider_arn`, and `namespace_service_accounts` | `any` | `{}` | no |
| [role\_description](#input\_role\_description) | IAM Role description | `string` | `null` | no |
| [role\_name](#input\_role\_name) | Name of IAM role | `string` | `null` | no |
| [role\_name\_prefix](#input\_role\_name\_prefix) | IAM role name prefix | `string` | `null` | no |
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index af2f91c9..16b09e79 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -7,6 +7,52 @@ locals {
dns_suffix = data.aws_partition.current.dns_suffix
}
+################################################################################
+# Cert Manager Policy
+################################################################################
+
+# https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role
+data "aws_iam_policy_document" "cert_manager" {
+ count = var.create_role && var.attach_cert_manager_policy ? 1 : 0
+
+ statement {
+ actions = ["route53:GetChange"]
+ resources = ["arn:aws:route53:::change/*"]
+ }
+
+ statement {
+ actions = [
+ "route53:ChangeResourceRecordSets",
+ "route53:ListResourceRecordSets"
+ ]
+
+ resources = var.cert_manager_hosted_zone_arns
+ }
+
+ statement {
+ actions = ["route53:ListHostedZonesByName"]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "cert_manager" {
+ count = var.create_role && var.attach_cert_manager_policy ? 1 : 0
+
+ name_prefix = "AmazonEKS_Cert_Manager_Policy-"
+ path = var.role_path
+ description = "Cert Manager policy to allow management of Route53 hosted zone records"
+ policy = data.aws_iam_policy_document.cert_manager[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "cert_manager" {
+ count = var.create_role && var.attach_cert_manager_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.cert_manager[0].arn
+}
+
################################################################################
# Cluster Autoscaler Policy
################################################################################
@@ -66,47 +112,6 @@ resource "aws_iam_role_policy_attachment" "cluster_autoscaler" {
policy_arn = aws_iam_policy.cluster_autoscaler[0].arn
}
-################################################################################
-# External DNS Policy
-################################################################################
-
-# https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy
-data "aws_iam_policy_document" "external_dns" {
- count = var.create_role && var.attach_external_dns_policy ? 1 : 0
-
- statement {
- actions = ["route53:ChangeResourceRecordSets"]
- resources = var.external_dns_hosted_zone_arns
- }
-
- statement {
- actions = [
- "route53:ListHostedZones",
- "route53:ListResourceRecordSets",
- ]
-
- resources = ["*"]
- }
-}
-
-resource "aws_iam_policy" "external_dns" {
- count = var.create_role && var.attach_external_dns_policy ? 1 : 0
-
- name_prefix = "AmazonEKS_External_DNS_Policy-"
- path = var.role_path
- description = "External DNS policy to allow management of Route53 hosted zone records"
- policy = data.aws_iam_policy_document.external_dns[0].json
-
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "external_dns" {
- count = var.create_role && var.attach_external_dns_policy ? 1 : 0
-
- role = aws_iam_role.this[0].name
- policy_arn = aws_iam_policy.external_dns[0].arn
-}
-
################################################################################
# EBS CSI Policy
################################################################################
@@ -303,120 +308,201 @@ resource "aws_iam_role_policy_attachment" "ebs_csi" {
}
################################################################################
-# VPC CNI Policy
+# EFS CSI Driver Policy
################################################################################
-data "aws_iam_policy_document" "vpc_cni" {
- count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0
+# https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
+data "aws_iam_policy_document" "efs_csi" {
+ count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
- # arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
- dynamic "statement" {
- for_each = var.vpc_cni_enable_ipv4 ? [1] : []
- content {
- sid = "IPV4"
- actions = [
- "ec2:AssignPrivateIpAddresses",
- "ec2:AttachNetworkInterface",
- "ec2:CreateNetworkInterface",
- "ec2:DeleteNetworkInterface",
- "ec2:DescribeInstances",
- "ec2:DescribeTags",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DescribeInstanceTypes",
- "ec2:DetachNetworkInterface",
- "ec2:ModifyNetworkInterfaceAttribute",
- "ec2:UnassignPrivateIpAddresses",
- ]
- resources = ["*"]
- }
+ statement {
+ actions = [
+ "elasticfilesystem:DescribeAccessPoints",
+ "elasticfilesystem:DescribeFileSystems",
+ ]
+
+ resources = ["*"]
}
- # https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
- dynamic "statement" {
- for_each = var.vpc_cni_enable_ipv6 ? [1] : []
- content {
- sid = "IPV6"
- actions = [
- "ec2:AssignIpv6Addresses",
- "ec2:DescribeInstances",
- "ec2:DescribeTags",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DescribeInstanceTypes",
- ]
- resources = ["*"]
+ statement {
+ actions = ["elasticfilesystem:CreateAccessPoint"]
+ resources = ["*"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+ values = ["true"]
}
}
statement {
- sid = "CreateTags"
- actions = ["ec2:CreateTags"]
- resources = ["arn:${local.partition}:ec2:*:*:network-interface/*"]
+ actions = ["elasticfilesystem:DeleteAccessPoint"]
+ resources = ["*"]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+ values = ["true"]
+ }
}
}
-resource "aws_iam_policy" "vpc_cni" {
- count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0
+resource "aws_iam_policy" "efs_csi" {
+ count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
- name_prefix = "AmazonEKS_CNI_Policy-"
+ name_prefix = "AmazonEKS_EFS_CSI_Policy-"
path = var.role_path
- description = "Provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IPv4/IPv6 address configuration on your EKS worker nodes"
- policy = data.aws_iam_policy_document.vpc_cni[0].json
+ description = "Provides permissions to manage EFS volumes via the container storage interface driver"
+ policy = data.aws_iam_policy_document.efs_csi[0].json
tags = var.tags
}
-resource "aws_iam_role_policy_attachment" "vpc_cni" {
- count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0
+resource "aws_iam_role_policy_attachment" "efs_csi" {
+ count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
role = aws_iam_role.this[0].name
- policy_arn = aws_iam_policy.vpc_cni[0].arn
+ policy_arn = aws_iam_policy.efs_csi[0].arn
}
################################################################################
-# Node Termination Handler Policy
+# External DNS Policy
################################################################################
-# https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods
-data "aws_iam_policy_document" "node_termination_handler" {
- count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0
+# https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy
+data "aws_iam_policy_document" "external_dns" {
+ count = var.create_role && var.attach_external_dns_policy ? 1 : 0
+
+ statement {
+ actions = ["route53:ChangeResourceRecordSets"]
+ resources = var.external_dns_hosted_zone_arns
+ }
statement {
actions = [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances",
- "autoscaling:DescribeTags",
- "ec2:DescribeInstances",
+ "route53:ListHostedZones",
+ "route53:ListResourceRecordSets",
]
resources = ["*"]
}
+}
+
+resource "aws_iam_policy" "external_dns" {
+ count = var.create_role && var.attach_external_dns_policy ? 1 : 0
+
+ name_prefix = "AmazonEKS_External_DNS_Policy-"
+ path = var.role_path
+ description = "External DNS policy to allow management of Route53 hosted zone records"
+ policy = data.aws_iam_policy_document.external_dns[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "external_dns" {
+ count = var.create_role && var.attach_external_dns_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.external_dns[0].arn
+}
+
+################################################################################
+# External Secrets Policy
+################################################################################
+
+# https://github.com/external-secrets/kubernetes-external-secrets#add-a-secret
+data "aws_iam_policy_document" "external_secrets" {
+ count = var.create_role && var.attach_external_secrets_policy ? 1 : 0
+
+ statement {
+ actions = ["ssm:GetParameter"]
+ resources = var.external_secrets_ssm_parameter_arns
+ }
statement {
actions = [
- "sqs:DeleteMessage",
- "sqs:ReceiveMessage",
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:ListSecretVersionIds",
]
+ resources = var.external_secrets_secrets_manager_arns
+ }
+}
- resources = var.node_termination_handler_sqs_queue_arns
+resource "aws_iam_policy" "external_secrets" {
+ count = var.create_role && var.attach_external_secrets_policy ? 1 : 0
+
+ name_prefix = "AmazonEKS_External_Secrets_Policy-"
+ path = var.role_path
+ description = "Provides permissions to for External Secrets to retrieve secrets from AWS SSM and AWS Secrets Manager"
+ policy = data.aws_iam_policy_document.external_secrets[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "external_secrets" {
+ count = var.create_role && var.attach_external_secrets_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.external_secrets[0].arn
+}
+
+################################################################################
+# FSx for Lustre CSI Driver Policy
+################################################################################
+
+# https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/docs/README.md
+data "aws_iam_policy_document" "fsx_lustre_csi" {
+ count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0
+
+ statement {
+ actions = [
+ "iam:CreateServiceLinkedRole",
+ "iam:AttachRolePolicy",
+ "iam:PutRolePolicy"
+ ]
+ resources = var.fsx_lustre_csi_service_role_arns
+ }
+
+ statement {
+ actions = ["iam:CreateServiceLinkedRole"]
+ resources = ["*"]
+ condition {
+ test = "StringLike"
+ variable = "iam:AWSServiceName"
+ values = ["fsx.${local.dns_suffix}"]
+ }
+ }
+
+ statement {
+ actions = [
+ "s3:ListBucket",
+ "fsx:CreateFileSystem",
+ "fsx:DeleteFileSystem",
+ "fsx:DescribeFileSystems",
+ "fsx:TagResource",
+ ]
+ resources = ["*"]
}
}
-resource "aws_iam_policy" "node_termination_handler" {
- count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0
+resource "aws_iam_policy" "fsx_lustre_csi" {
+ count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0
- name_prefix = "AmazonEKS_Node_Termination_Handler_Policy-"
+ name_prefix = "AmazonEKS_FSx_Lustre_CSI_Policy-"
path = var.role_path
- description = "Provides permissions to handle node termination events via the Node Termination Handler"
- policy = data.aws_iam_policy_document.node_termination_handler[0].json
+ description = "Provides permissions to manage FSx Lustre volumes via the container storage interface driver"
+ policy = data.aws_iam_policy_document.fsx_lustre_csi[0].json
tags = var.tags
}
-resource "aws_iam_role_policy_attachment" "node_termination_handler" {
- count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0
+resource "aws_iam_role_policy_attachment" "fsx_lustre_csi" {
+ count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0
role = aws_iam_role.this[0].name
- policy_arn = aws_iam_policy.node_termination_handler[0].arn
+ policy_arn = aws_iam_policy.fsx_lustre_csi[0].arn
}
################################################################################
@@ -809,59 +895,157 @@ resource "aws_iam_role_policy_attachment" "load_balancer_controller_targetgroup_
}
################################################################################
-# EFS CSI Driver Policy
+# Amazon Managed Service for Prometheus Policy
################################################################################
-# https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
-data "aws_iam_policy_document" "efs_csi" {
- count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
+# https://docs.aws.amazon.com/prometheus/latest/userguide/set-up-irsa.html
+data "aws_iam_policy_document" "amazon_managed_service_prometheus" {
+ count = var.create_role && var.attach_amazon_managed_service_prometheus_policy ? 1 : 0
statement {
actions = [
- "elasticfilesystem:DescribeAccessPoints",
- "elasticfilesystem:DescribeFileSystems",
+ "aps:RemoteWrite",
+ "aps:QueryMetrics",
+ "aps:GetSeries",
+ "aps:GetLabels",
+ "aps:GetMetricMetadata",
]
- resources = ["*"]
+ resources = var.amazon_managed_service_prometheus_workspace_arns
}
+}
+
+resource "aws_iam_policy" "amazon_managed_service_prometheus" {
+ count = var.create_role && var.attach_amazon_managed_service_prometheus_policy ? 1 : 0
+
+ name_prefix = "AmazonEKS_Managed_Service_Prometheus_Policy-"
+ path = var.role_path
+ description = "Provides permissions to for Amazon Managed Service for Prometheus"
+ policy = data.aws_iam_policy_document.amazon_managed_service_prometheus[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "amazon_managed_service_prometheus" {
+ count = var.create_role && var.attach_amazon_managed_service_prometheus_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.amazon_managed_service_prometheus[0].arn
+}
+
+################################################################################
+# Node Termination Handler Policy
+################################################################################
+
+# https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods
+data "aws_iam_policy_document" "node_termination_handler" {
+ count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0
statement {
- actions = ["elasticfilesystem:CreateAccessPoint"]
- resources = ["*"]
+ actions = [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeTags",
+ "ec2:DescribeInstances",
+ ]
- condition {
- test = "StringLike"
- variable = "aws:RequestTag/efs.csi.aws.com/cluster"
- values = ["true"]
- }
+ resources = ["*"]
}
statement {
- actions = ["elasticfilesystem:DeleteAccessPoint"]
- resources = ["*"]
+ actions = [
+ "sqs:DeleteMessage",
+ "sqs:ReceiveMessage",
+ ]
- condition {
- test = "StringEquals"
- variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
- values = ["true"]
+ resources = var.node_termination_handler_sqs_queue_arns
+ }
+}
+
+resource "aws_iam_policy" "node_termination_handler" {
+ count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0
+
+ name_prefix = "AmazonEKS_Node_Termination_Handler_Policy-"
+ path = var.role_path
+ description = "Provides permissions to handle node termination events via the Node Termination Handler"
+ policy = data.aws_iam_policy_document.node_termination_handler[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "node_termination_handler" {
+ count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.node_termination_handler[0].arn
+}
+
+################################################################################
+# VPC CNI Policy
+################################################################################
+
+data "aws_iam_policy_document" "vpc_cni" {
+ count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0
+
+ # arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
+ dynamic "statement" {
+ for_each = var.vpc_cni_enable_ipv4 ? [1] : []
+ content {
+ sid = "IPV4"
+ actions = [
+ "ec2:AssignPrivateIpAddresses",
+ "ec2:AttachNetworkInterface",
+ "ec2:CreateNetworkInterface",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeInstanceTypes",
+ "ec2:DetachNetworkInterface",
+ "ec2:ModifyNetworkInterfaceAttribute",
+ "ec2:UnassignPrivateIpAddresses",
+ ]
+ resources = ["*"]
}
}
+
+ # https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
+ dynamic "statement" {
+ for_each = var.vpc_cni_enable_ipv6 ? [1] : []
+ content {
+ sid = "IPV6"
+ actions = [
+ "ec2:AssignIpv6Addresses",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeInstanceTypes",
+ ]
+ resources = ["*"]
+ }
+ }
+
+ statement {
+ sid = "CreateTags"
+ actions = ["ec2:CreateTags"]
+ resources = ["arn:${local.partition}:ec2:*:*:network-interface/*"]
+ }
}
-resource "aws_iam_policy" "efs_csi" {
- count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
+resource "aws_iam_policy" "vpc_cni" {
+ count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0
- name_prefix = "AmazonEKS_EFS_CSI_Policy-"
+ name_prefix = "AmazonEKS_CNI_Policy-"
path = var.role_path
- description = "Provides permissions to manage EFS volumes via the container storage interface driver"
- policy = data.aws_iam_policy_document.efs_csi[0].json
+ description = "Provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IPv4/IPv6 address configuration on your EKS worker nodes"
+ policy = data.aws_iam_policy_document.vpc_cni[0].json
tags = var.tags
}
-resource "aws_iam_role_policy_attachment" "efs_csi" {
- count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
+resource "aws_iam_role_policy_attachment" "vpc_cni" {
+ count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0
role = aws_iam_role.this[0].name
- policy_arn = aws_iam_policy.efs_csi[0].arn
+ policy_arn = aws_iam_policy.vpc_cni[0].arn
}
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index b8f430e2..65ccacdd 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -41,7 +41,7 @@ variable "role_policy_arns" {
}
variable "oidc_providers" {
- description = "Map of OIDC providers where each provdier map should contain the `provider`, `provider_arns`, and `namespace_service_accounts`"
+ description = "Map of OIDC providers where each provider map should contain the `provider`, `provider_arn`, and `namespace_service_accounts`"
type = any
default = {}
}
@@ -74,30 +74,30 @@ variable "assume_role_condition_test" {
# Policies
################################################################################
-# Cluster autoscaler
-variable "attach_cluster_autoscaler_policy" {
- description = "Determines whether to attach the Cluster Autoscaler IAM policy to the role"
+# Cert Manager
+variable "attach_cert_manager_policy" {
+ description = "Determines whether to attach the Cert Manager IAM policy to the role"
type = bool
default = false
}
-variable "cluster_autoscaler_cluster_ids" {
- description = "List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy"
+variable "cert_manager_hosted_zone_arns" {
+ description = "Route53 hosted zone ARNs to allow Cert manager to manage records"
type = list(string)
- default = []
+ default = ["arn:aws:route53:::hostedzone/*"]
}
-# External DNS
-variable "attach_external_dns_policy" {
- description = "Determines whether to attach the External DNS IAM policy to the role"
+# Cluster autoscaler
+variable "attach_cluster_autoscaler_policy" {
+ description = "Determines whether to attach the Cluster Autoscaler IAM policy to the role"
type = bool
default = false
}
-variable "external_dns_hosted_zone_arns" {
- description = "Route53 hosted zone ARNs to allow external DNS to manage records"
+variable "cluster_autoscaler_cluster_ids" {
+ description = "List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy"
type = list(string)
- default = ["arn:aws:route53:::hostedzone/*"]
+ default = []
}
# EBS CSI
@@ -120,39 +120,52 @@ variable "attach_efs_csi_policy" {
default = false
}
-# VPC CNI
-variable "attach_vpc_cni_policy" {
- description = "Determines whether to attach the VPC CNI IAM policy to the role"
+# External DNS
+variable "attach_external_dns_policy" {
+ description = "Determines whether to attach the External DNS IAM policy to the role"
type = bool
default = false
}
-variable "vpc_cni_enable_ipv4" {
- description = "Determines whether to enable IPv4 permissions for VPC CNI policy"
- type = bool
- default = false
+variable "external_dns_hosted_zone_arns" {
+ description = "Route53 hosted zone ARNs to allow External DNS to manage records"
+ type = list(string)
+ default = ["arn:aws:route53:::hostedzone/*"]
}
-variable "vpc_cni_enable_ipv6" {
- description = "Determines whether to enable IPv6 permissions for VPC CNI policy"
+# External Secrets
+variable "attach_external_secrets_policy" {
+ description = "Determines whether to attach the External Secrets policy to the role"
type = bool
default = false
}
-# Node termination handler
-variable "attach_node_termination_handler_policy" {
- description = "Determines whether to attach the Node Termination Handler policy to the role"
+variable "external_secrets_ssm_parameter_arns" {
+ description = "List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets"
+ type = list(string)
+ default = ["arn:aws:ssm:*:*:parameter/*"]
+}
+
+variable "external_secrets_secrets_manager_arns" {
+ description = "List of Secrets Manager ARNs that contain secrets to mount using External Secrets"
+ type = list(string)
+ default = ["arn:aws:secretsmanager:*:*:secret:*"]
+}
+
+# FSx Lustre CSI
+variable "attach_fsx_lustre_csi_policy" {
+ description = "Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role"
type = bool
default = false
}
-variable "node_termination_handler_sqs_queue_arns" {
- description = "List of SQS ARNs that contain node termination events"
+variable "fsx_lustre_csi_service_role_arns" {
+ description = "Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles"
type = list(string)
- default = ["*"]
+ default = ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"]
}
-# Karpetner controller
+# Karpenter controller
variable "attach_karpenter_controller_policy" {
description = "Determines whether to attach the Karpenter Controller policy to the role"
type = bool
@@ -198,3 +211,48 @@ variable "attach_load_balancer_controller_targetgroup_binding_only_policy" {
type = bool
default = false
}
+
+# Amazon Managed Service for Prometheus
+variable "attach_amazon_managed_service_prometheus_policy" {
+ description = "Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role"
+ type = bool
+ default = false
+}
+
+variable "amazon_managed_service_prometheus_workspace_arns" {
+ description = "List of AMP Workspace ARNs to read and write metrics"
+ type = list(string)
+ default = ["*"]
+}
+
+# VPC CNI
+variable "attach_vpc_cni_policy" {
+ description = "Determines whether to attach the VPC CNI IAM policy to the role"
+ type = bool
+ default = false
+}
+
+variable "vpc_cni_enable_ipv4" {
+ description = "Determines whether to enable IPv4 permissions for VPC CNI policy"
+ type = bool
+ default = false
+}
+
+variable "vpc_cni_enable_ipv6" {
+ description = "Determines whether to enable IPv6 permissions for VPC CNI policy"
+ type = bool
+ default = false
+}
+
+# Node termination handler
+variable "attach_node_termination_handler_policy" {
+ description = "Determines whether to attach the Node Termination Handler policy to the role"
+ type = bool
+ default = false
+}
+
+variable "node_termination_handler_sqs_queue_arns" {
+ description = "List of SQS ARNs that contain node termination events"
+ type = list(string)
+ default = ["*"]
+}